CVE-2025-57350
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-10-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keyangxiang | csvtojson | < 2.0.10 (2.0.10 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a prototype pollution issue in the csvtojson package (versions prior to 2.0.10). csvtojson expands dotted header names into nested objects (a header such as `a.b` becomes `{ a: { b: value } }`), but vulnerable versions do not sanitize the path segments of those nested header names. A malicious CSV file can therefore carry a header like `__proto__.someKey`: when the parser walks that path, the `__proto__` segment resolves to the shared `Object.prototype`, and the cell value is written onto it. Every object in the process then inherits the attacker-chosen property, which changes the behavior of any code that relies on an unmodified prototype chain.
How can this vulnerability impact me?
Any application that parses untrusted CSV data (uploads, third-party feeds, e-mail attachments) with a vulnerable csvtojson version is exposed. Because the modification lands on the global `Object.prototype`, the effect is not confined to the parsed rows: it can cause denial of service (crashes or hangs when code encounters unexpected inherited properties) or unexpected behavior wherever the application treats an inherited property as a legitimate setting, for example configuration lookups or feature flags that fall through to the prototype. The precise impact depends on how the surrounding application uses objects after the CSV has been parsed.
What immediate steps should I take to mitigate this vulnerability?
Update the csvtojson package to version 2.0.10 or later, which fixes the prototype pollution vulnerability. Check the version actually installed, including as a transitive dependency, with `npm ls csvtojson`, since a lockfile may pin an older release even when package.json allows a newer one. Until the update is applied, avoid processing untrusted CSV data with vulnerable versions; if that is not possible, reject input whose header row contains `__proto__`, `constructor` or `prototype` as a path segment before handing it to the parser.
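The mechanism described above, and the kind of check the mitigation calls for, as an added example that is not part of this page and not csvtojson's own code. It models a nested-header CSV parser with a naive path setter (the vulnerable shape), then a hardened setter that rejects prototype-related path segments and builds rows on null-prototype objects. The CSV inputs, the function names and the toy comma splitter (no quoting support) are all constructed for illustration; the real fix is upgrading to csvtojson 2.0.10 or later.

```javascript
// Constructed model of a CSV parser that expands dotted header names
// ("a.b") into nested objects. Not csvtojson's implementation; it only
// reproduces the vulnerable shape (naive path walk) and a hardened one.

// Path segments that must never be walked when building nested objects.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Toy CSV line splitter for the example: no quoting or escaping support.
function parseCsvLine(line) {
  return line.split(',').map((s) => s.trim());
}

// Vulnerable: walks the dotted path without checking the segments.
// For the segment "__proto__", cur[k] is Object.prototype, so the final
// assignment lands on the shared prototype instead of on the row.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Hardened: reject prototype-related segments up front, only descend into
// own properties, and create intermediate objects with no prototype.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (UNSAFE_KEYS.has(k)) throw new Error(`unsafe header key: ${k}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Parse CSV text into row objects. { safe: false } is the vulnerable
// behavior; { safe: true } uses the hardened setter and null-prototype rows.
function csvToJson(csv, { safe }) {
  const lines = csv.trim().split('\n');
  const headers = parseCsvLine(lines[0]);
  const setPath = safe ? setPathSafe : setPathUnsafe;
  return lines.slice(1).map((line) => {
    const cells = parseCsvLine(line);
    const row = safe ? Object.create(null) : {};
    headers.forEach((h, i) => setPath(row, h, cells[i]));
    return row;
  });
}

// Constructed malicious input: the second header is a prototype path.
const MALICIOUS_CSV = 'name,__proto__.polluted\nalice,yes\n';

// Runs both parsers against the malicious input and reports what happened.
// Cleans Object.prototype afterwards so the rest of the process is usable.
function demo() {
  const before = ({}).polluted;            // undefined: prototype is clean
  csvToJson(MALICIOUS_CSV, { safe: false });
  const after = ({}).polluted;             // 'yes': every object now inherits it
  delete Object.prototype.polluted;        // undo the pollution
  let rejected = false;
  try {
    csvToJson(MALICIOUS_CSV, { safe: true });
  } catch (e) {
    rejected = true;                       // hardened parser refuses the header
  }
  return { before, after, rejected, stillClean: ({}).polluted === undefined };
}

console.log(demo());
```

The `before`/`after` pair is the practical detection check: any time a parser that builds nested objects from untrusted keys is in scope, assert that a fresh `{}` has no unexpected inherited properties after parsing. The hardened setter does two independent things on purpose: the explicit `UNSAFE_KEYS` rejection is what actually blocks the attack, while the null-prototype rows and `hasOwnProperty` check mean that even a missed key name cannot reach `Object.prototype` through inheritance.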